(Originally published in TEISS on April 30, 2019)
The Internet of Things is revolutionizing the healthcare industry. From smart wearable monitoring devices that allow the remote measurement of blood pressure and glucose levels, to connected pacemakers, infusion pumps and defibrillators, the number of applications continues to grow.
In a healthcare setting, enormous quantities of data can be generated by and collected from a wide variety of IoT devices. The goal is then to correlate it, analyze it and take impactful action, such as making a specific treatment recommendation.
Given the potential of connected devices and solutions to reduce costs and errors, improve operational efficiencies and, most importantly, deliver better patient care, its little surprise that the demand for the Internet of Medical Things (IoMT) is growing. In a recent Deloitte survey, the company noted the IoMT market is projected to be worth $158 billion by 2022.
With smart medical devices being deployed at such a rapid pace, what’s the prognosis for consumers? Well, it’s a mixed bag. While such advances in technology improve patient care, the connectivity upon which these devices rely presents a risk to their security, and therefore to users.
Weak device authentication can leave a connected device open to exploitation by malicious actors seeking to access the wealth of valuable information held on the device or on its network.
Healthcare providers and device manufacturers alike must therefore take steps to tackle the device authentication and data security challenges the sector currently faces.
Hacking a connected medical device can allow criminals to exfiltrate valuable information. By intercepting the signals being transmitted by a pacemaker to its programmers, for example, university researchers were able to demonstrate how it was possible for criminals to steal a patient’s medical information.
The financial, reputational, and legal fallout from such a data breach can be serious. But in a worst case scenario, an attack on a medical device could have severe consequences for a patient’s safety.
In 2015, the FDA strongly urged hospitals to avoid using Hospira Inc.’s Symbig Infusion pump system due to potential cyber security vulnerabilities. In 2017, device manufacturer St. Jude Medical (now Abbott) was famously forced to release patches for security vulnerabilities in its remote monitoring system of pacemaker and defibrillator implants, with additional updates also being released in 2018.
In February of this year, Medtronic recalled 13,000 cardiac pacemakers due to a potential software error. Medtronic’s decision came on the heels of a widely-publicized hack of Medtronic pacemakers during the 2018 Black Hat cyber security conference in Las Vegas. The security researchers demonstrating the Medtronic vulnerabilities claim they were motivated by Medtronic’s slowness in responding to security flaws.
Fortunately, as far as anyone knows, patients have yet to experience any physical harm from these incidents. But, had the vulnerabilities not been identified and addressed, they could have resulted in physical harm or even death. It is vital, therefore, that the industry increase its focus on protecting from potential threats the increasing number of medical devices connected to the internet.
Securing the IoMT is dependent on authenticating connected devices as an important part of ensuring that each one can be trusted to do what it is expected of it. If organizations can’t trust the data and the devices producing it, why undertake the massive effort required to collect it, analyze it, and make medical decisions based on it?
By providing each device with a unique identity that can be authenticated whenever it attempts to connect to a gateway or central server, it’s possible to track its connection history and behaviour. Should a device behave in an unexpected way, an administrator can quarantine it or revoke its network privileges.
Two thirds of the respondents to a recent survey, however, cited the poor authentication capabilities of IoT devices as one of their main security concerns - and with good reason. Strong authentication, based on a root of trust embedded at the time of device manufacture, is a linchpin to enable lifecycle security for medical devices.
Assurance is required that the integrity of medical devices is maintained. It’s crucial, for example, that a device receives the correct information to ensure it carries out the right action – such as delivering the correct dosage or recording the right measurements – at the right time.
When a patient’s health is at stake, there should never be any doubt as to the integrity of the device and the data on which it relies.
Providing this assurance, therefore, requires a solution that protects both the transfer and receipt of this critical data, authenticates the addition of any new device to the network and establishes a root of trust and identity, and offers end-to-end encryption with strong key management.
Only with such provisions in place can healthcare providers be fully confident their connected devices are secure.
Security and safety
As practitioners and patients continue to embrace the benefits offered by wearable technology, telemedicine and greater connectivity across healthcare, the number of device installations is expected to rise from 125 to 161 million over the course of the next year.
And it’s only set to grow, with one in five healthcare IT professionals reporting having more than 5,000 devices connected to their organization’s network.
Each additional connection represents a potentially vulnerable endpoint, however, and as the IoMT grows, the opportunity for exploitation grows with it. It is vital, therefore, that healthcare providers take the steps necessary to protect the integrity of these devices - and the data that powers them - from external threats.
With a hardened system in place for issuing and managing device credentials, and the keys essential to establishing a root of trust, organizations can confidently deploy business-critical IoMT projects, assured of their security and the safety of their patients.
External support is also in the early stages, with the Medical Device and Health IT Joint Security Plan (JSP) recently forming to address challenges the industry is facing when securing and protecting itself against cyber security incidents.
Also making headway is the Medical Device Innovation, Safety, and Security Consortium (MDISS), which recently announced it had developed a series of best practices for securing connected medical devices. The best practices draw from widely used standards for industrial automation and control systems cyber security.
With the healthcare industry often criticized for its use of outdated, legacy technologies, the internet of things might just be the shake-up everyone has been waiting for, but whether it has a positive or negative impact all comes down to security.